切记ajax中要带上AntiForgeryToken防止CSRF攻击
程序员文章站
2022-06-09 10:10:17
经常看到在项目中ajax post数据到服务器不加防伪标记,造成csrf攻击
在asp.net mvc里加入防伪标记很简单在表单中加入html.antiforgeryto...
经常看到在项目中ajax post数据到服务器不加防伪标记,造成csrf攻击
在asp.net mvc里加入防伪标记很简单在表单中加入html.antiforgerytoken()即可。
html.antiforgerytoken()会生成一对加密的字符串,分别存放在cookies 和 input 中。
我们在ajax post中也带上antiforgerytoken
@model webapplication1.controllers.person
@{
viewbag.title = "index";
}
<h2>index</h2>
<form id="form1">
<div class="form-horizontal">
<h4>persen</h4>
<hr />
@html.validationsummary(true, "", new { @class = "text-danger" })
<div class="form-group">
@html.labelfor(model => model.name, htmlattributes: new { @class = "control-label col-md-2" })
<div class="col-md-10">
@html.editorfor(model => model.name, new { htmlattributes = new { @class = "form-control" } })
@html.validationmessagefor(model => model.name, "", new { @class = "text-danger" })
</div>
</div>
<div class="form-group">
@html.labelfor(model => model.age, htmlattributes: new { @class = "control-label col-md-2" })
<div class="col-md-10">
@html.editorfor(model => model.age, new { htmlattributes = new { @class = "form-control" } })
@html.validationmessagefor(model => model.age, "", new { @class = "text-danger" })
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<input type="button" id="save" value="create" class="btn btn-default" />
</div>
</div>
</div>
</form>
<script src="~/scripts/jquery-1.10.2.min.js"></script>
<script src="~/scripts/jquery.validate.min.js"></script>
<script src="~/scripts/jquery.validate.unobtrusive.min.js"></script>
<script type="text/javascript">
$(function () {
//var token = $('[name=__requestverificationtoken]');
//获取防伪标记
var token = $('@html.antiforgerytoken()').val();
var headers = {};
//防伪标记放入headers
//也可以将防伪标记放入data
headers["__requestverificationtoken"] = token;
$("#save").click(function () {
$.ajax({
type: 'post',
url: '/home/index',
cache: false,
headers: headers,
data: { name: "yangwen", age: "1" },
success: function (data) {
alert(data)
},
error: function () {
alert("error")
}
});
})
})
</script>
放在cookies里面的加密字符串
控制器中代码
using system;
using system.collections.generic;
using system.linq;
using system.net;
using system.web;
using system.web.helpers;
using system.web.mvc;
namespace webapplication1.controllers
{
public class homecontroller : controller
{
public actionresult index()
{
return view();
}
[httppost]
[myvalidateantiforgerytoken]
public actionresult index(person p)
{
return json(true, jsonrequestbehavior.allowget);
}
}
public class person
{
public string name { get; set; }
public int age { get; set; }
}
public class myvalidateantiforgerytoken : authorizeattribute
{
public override void onauthorization(authorizationcontext filtercontext)
{
var request = filtercontext.httpcontext.request;
if (request.httpmethod == webrequestmethods.http.post)
{
if (request.isajaxrequest())
{
var antiforgerycookie = request.cookies[antiforgeryconfig.cookiename];
var cookievalue = antiforgerycookie != null
? antiforgerycookie.value
: null;
//从cookies 和 headers 中 验证防伪标记
//这里可以加try-catch
antiforgery.validate(cookievalue, request.headers["__requestverificationtoken"]);
}
else
{
new validateantiforgerytokenattribute()
.onauthorization(filtercontext);
}
}
}
}
}
这里注释掉ajax中防伪标记在请求
$("#save").click(function () {
$.ajax({
type: 'post',
url: '/home/index',
cache: false,
// headers: headers,
data: { name: "yangwen", age: "1" },
success: function (data) {
alert(data)
},
error: function () {
alert("error")
}
});
})
默认返回500的状态码。
这里修改ajax中的防伪标记
$(function () {
//var token = $('[name=__requestverificationtoken]');
//获取防伪标记
var token = $('@html.antiforgerytoken()').val();
var headers = {};
//防伪标记放入headers
//也可以将防伪标记放入data
headers["__requestverificationtoken"] = token+11111111111111111111111111111111111;
$("#save").click(function () {
$.ajax({
type: 'post',
url: '/home/index',
cache: false,
headers: headers,
data: { name: "yangwen", age: "1" },
success: function (data) {
alert(data)
},
error: function () {
alert("error")
}
});
})
})
也是500的状态码。
以上内容就是本文的全部叙述,切记ajax中要带上antiforgerytoken防止csrf攻击,小伙伴们在使用过程发现有疑问,请给我留言,谢谢!